[4] Generating reports with aureport
6 March 2022
The audit logs can be displayed in aggregated form with the [aureport] command, which is part of the audit package.
[1] This is how the [aureport] command is used.
# show the whole report, without any arguments
[root@vlsr01 ~]# aureport

Summary Report
======================
Range of time in logs: 06.03.2022 09:48:57.070 - 06.03.2022 15:46:14.148
Selected time for report: 06.03.2022 09:48:57 - 06.03.2022 15:46:14.148
Number of changes in configuration: 112
Number of changes to accounts, groups, or roles: 1
Number of logins: 3
Number of failed logins: 1
Number of authentications: 8
Number of failed authentications: 9
Number of users: 3
Number of terminals: 7
Number of host names: 5
Number of executables: 12
Number of commands: 17
Number of files: 1
Number of AVC's: 4
Number of MAC events: 8
Number of failed syscalls: 4
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 91
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 91
Number of events: 553

# show authentication logs
[root@vlsr01 ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06.03.2022 09:49:28 root 192.168.100.155 ssh /usr/sbin/sshd yes 80
2. 06.03.2022 10:00:26 root 192.168.100.155 ssh /usr/sbin/sshd yes 73
3. 06.03.2022 10:43:04 user01 vlsr02.zicher.lab pts/0 /usr/bin/su yes 171
4. 06.03.2022 10:43:13 user01 ? /dev/pts/0 /usr/bin/sudo yes 175
5. 06.03.2022 10:43:47 user01 vlsr02.zicher.lab pts/0 /usr/bin/su yes 184
6. 06.03.2022 10:47:40 user01 vlsr01.zicher.lab pts/0 /usr/bin/su yes 120
7. 06.03.2022 10:48:18 user01 vlsr01.zicher.lab pts/0 /usr/bin/su yes 134
8. 06.03.2022 10:48:29 user01 ? /dev/pts/0 /usr/bin/sudo no 138
9. 06.03.2022 10:48:34 user01 ? /dev/pts/0 /usr/bin/sudo no 139
10. 06.03.2022 10:48:38 user01 ? /dev/pts/0 /usr/bin/sudo no 140
11. 06.03.2022 10:49:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 149
12. 06.03.2022 10:49:28 user01 192.168.100.155 ssh /usr/sbin/sshd no 150
13. 06.03.2022 10:49:32 user01 192.168.100.155 ssh /usr/sbin/sshd no 151
14. 06.03.2022 10:49:36 user01 192.168.100.155 ssh /usr/sbin/sshd no 152
15. 06.03.2022 11:08:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 198
16. 06.03.2022 11:08:34 user01 192.168.100.155 ssh /usr/sbin/sshd no 199
17. 06.03.2022 11:09:14 user01 192.168.100.155 ssh /usr/sbin/sshd yes 201

# show failed authentication logs
[root@vlsr01 ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
9 user01

# show account modification logs
[root@vlsr01 ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 06.03.2022 11:09:07 root vlsr01.zicher.lab pts/0 /usr/bin/passwd user01 yes 200

# show account modification logs since the start of this month
[root@vlsr01 ~]# aureport -m -i --start this-month

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 06.03.2022 11:09:07 root vlsr01.zicher.lab pts/0 /usr/bin/passwd user01 yes 200

# show executable logs
[root@vlsr01 ~]# aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 7
2. 06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 8
3. 06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 9
4. 06.03.2022 09:48:57 /usr/lib/systemd/systemd ? ? unset 10

# show executable logs from 05.03.2022 to 06.03.2022
[root@vlsr01 ~]# aureport -x -i --start 05.03.2022 --end 06.03.2022

Executable Report
====================================
# date time exe term host auid event
====================================
1. 06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 7
2. 06.03.2022 09:48:57 /usr/sbin/auditctl (none) ? unset 8
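The failed summary above totals failures per account only. As an added example that is not part of the original page, the following script breaks an "aureport -au" Authentication Report down by account, source host and executable, so an operator can see whether failures arrived over ssh from one address or from local sudo; it uses a constructed subset of the rows shown above as sample input, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: break down the failed
# authentications that "aureport -au --failed --summary" only totals per
# account by (account, source host, executable).
# Input is an "aureport -au" Authentication Report on stdin.

# Constructed sample: a subset of the rows in the report above.
SAMPLE_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06.03.2022 09:49:28 root 192.168.100.155 ssh /usr/sbin/sshd yes 80
8. 06.03.2022 10:48:29 user01 ? /dev/pts/0 /usr/bin/sudo no 138
9. 06.03.2022 10:48:34 user01 ? /dev/pts/0 /usr/bin/sudo no 139
11. 06.03.2022 10:49:22 user01 192.168.100.155 ssh /usr/sbin/sshd no 149
12. 06.03.2022 10:49:28 user01 192.168.100.155 ssh /usr/sbin/sshd no 150
17. 06.03.2022 11:09:14 user01 192.168.100.155 ssh /usr/sbin/sshd yes 201'

# Columns of a data row: 1=record no. 2=date 3=time 4=acct 5=host 6=term
# 7=exe 8=success 9=event. Header and separator lines are skipped because
# their first field is not a record number such as "12.".

# Print "count acct host exe" for each source with at least one failure.
failed_auth_by_source() {
    awk '$1 ~ /^[0-9]+\.$/ && $8 == "no" { n[$4 " " $5 " " $7]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Print the number of failed authentications for the account given as $1.
failed_count_for() {
    awk -v acct="$1" '$1 ~ /^[0-9]+\.$/ && $4 == acct && $8 == "no" { c++ }
                      END { print c + 0 }'
}

# Print "acct count" for accounts whose failures reach the threshold $1,
# which is what a periodic check would feed into an alert.
flag_accounts() {
    awk -v thr="$1" '$1 ~ /^[0-9]+\.$/ && $8 == "no" { c[$4]++ }
                     END { for (a in c) if (c[a] >= thr) print a, c[a] }'
}

# Stand-alone run over the sample; in production pipe "aureport -au" in.
printf '%s\n' "$SAMPLE_REPORT" | failed_auth_by_source
printf '%s\n' "$SAMPLE_REPORT" | flag_accounts 3
```

On a live system replace the sample with `aureport -au | failed_auth_by_source`, or with `aureport -au --start this-week` to limit the window.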
[2] Search for and display logs by combining [ausearch] with [aureport].
# search for and show sudo logins for the user with ID 1000
[root@vlsr01 ~]# ausearch -x sudo -ua 1000 | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06.03.2022 10:43:13 user01 ? /dev/pts/0 /usr/bin/sudo yes 175
2. 06.03.2022 10:48:29 user01 ? /dev/pts/0 /usr/bin/sudo no 138
3. 06.03.2022 10:48:34 user01 ? /dev/pts/0 /usr/bin/sudo no 139
4. 06.03.2022 10:48:38 user01 ? /dev/pts/0 /usr/bin/sudo no 140

# search for and show executable logs for UserID 1000
[root@vlsr01 ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 06.03.2022 10:43:13 /usr/bin/sudo /dev/pts/0 ? root 175
2. 06.03.2022 10:43:13 /usr/bin/sudo /dev/pts/0 ? root 176
3. 06.03.2022 10:43:13 /usr/bin/sudo pts/0 ? root 177
4. 06.03.2022 10:44:01 /usr/bin/sudo /dev/pts/0 ? root 188